TorGuard copied its Chrome extension and implemented it insecurely

Ray Walsh

July 21, 2015

Yesterday VPN.ac went on the record to announce its discovery that rival VPN, TorGuard, has in fact copied the design for its Chrome extension. The discovery, which was made by one of VPN.ac’s customers, was first announced on Twitter where it caused quite a stir amongst the technology and infosec community.

Following the announcement, VPN.ac soon added a blog post on the discovery to its website. In it they explain that not only has TorGuard stolen its design (a move that is strictly prohibited according to its terms of service), but it has also been using VPN.ac’s geolocation API server address. That geo-IP API server belongs to VPN.ac, which is now hosting this picture on it to prove that it is theirs.

VPN.ac has also revealed that, by using its API server, TorGuard has implemented its browser proxy service in an entirely insecure way, meaning that users of TorGuard’s Chrome extension have in fact not been receiving the secure service that TorGuard’s product promises.

Explaining why they decided to go public with the announcement, VPN.ac’s blog says,

‘We make this public to avoid the awkward moment when someone might accuse us of copying them and not the other way around.’

This move, however, was not strictly necessary, considering that anybody can use a tool like CRX Source Viewer to read the source of a Chrome extension straight from the Web Store. In this way, anyone can quickly verify that TorGuard’s extension is indeed almost entirely an imitation.

Add to this the fact that VPN.ac released its Chrome extension on December 17, 2014, and that even its Firefox extension was released in advance of TorGuard’s Chrome extension (this May), and you get a pretty clear picture of what has happened.

In its blog, VPN.ac was quick to point out just why using someone else’s API is such a huge mistake,

‘Fyi, using someone else’s API servers, as a VPN service, is a very irresponsible mistake – just terrible from a security & privacy point of view. What they do by using someone else’s servers such as our API service, essentially, is to expose all their Chrome Proxy users’ IPs to a competitor.’

Luckily for TorGuard, VPN.ac had no reason to log user IP addresses (because it offers a secure service and doesn’t look at IP addresses itself). The truth, however, is that TorGuard has gotten off lightly, because a more malicious competitor could have redirected those requests or forged the JSON replies to interfere with the extension’s functionality. This sentiment was reiterated by Twitter user @blowdart, who said,
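The risk described above, an extension acting on JSON replies from a server it does not control, is a plain input-validation problem on the client side. The following is an added example (not code from TorGuard’s or VPN.ac’s extension) showing how a Chrome extension can pin its API origin to HTTPS and validate a server-list reply before touching any proxy settings; the origin `https://api.example-vpn.test`, the reply format and the sample replies are all constructed for the example.

```javascript
// Added example, not code from TorGuard's or VPN.ac's extension.
// A browser extension that fetches its proxy server list (or geo-IP data)
// from a remote API must treat the reply as untrusted input: over plain
// HTTP it can be rewritten in transit, and a hostile API operator can forge
// it at the source. These checks pin the API origin to HTTPS and validate
// the JSON before any proxy settings are changed.

// Hypothetical origin; a real extension would ship its own API host.
const TRUSTED_API_ORIGIN = 'https://api.example-vpn.test';

// Only accept requests to the exact HTTPS origin the extension ships with.
function isTrustedApiUrl(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  return u.protocol === 'https:' && u.origin === TRUSTED_API_ORIGIN;
}

// Strict dotted-quad check: four decimal octets, 0-255, no leading zeros.
function isIPv4(s) {
  if (typeof s !== 'string') return false;
  const parts = s.split('.');
  if (parts.length !== 4) return false;
  return parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Server labels are rendered in the popup UI, so restrict them to a safe
// character set and length instead of displaying whatever the API sent.
function isSafeLabel(s) {
  return typeof s === 'string' && /^[A-Za-z0-9 ._-]{1,40}$/.test(s);
}

// Parse and validate a server-list reply. Returns { ok: true, servers }
// or { ok: false, reason }. Nothing from a rejected reply is used.
function validateServerList(rawJson) {
  let parsed;
  try {
    parsed = JSON.parse(rawJson);
  } catch (e) {
    return { ok: false, reason: 'reply is not valid JSON' };
  }
  if (!parsed || !Array.isArray(parsed.servers) || parsed.servers.length === 0) {
    return { ok: false, reason: 'missing servers array' };
  }
  const servers = [];
  for (const entry of parsed.servers) {
    if (!entry || typeof entry !== 'object') {
      return { ok: false, reason: 'entry is not an object' };
    }
    if (!isSafeLabel(entry.name)) {
      return { ok: false, reason: `bad name: ${String(entry.name).slice(0, 20)}` };
    }
    if (!isIPv4(entry.ip)) {
      return { ok: false, reason: `bad ip for ${entry.name}` };
    }
    if (!Number.isInteger(entry.port) || entry.port < 1 || entry.port > 65535) {
      return { ok: false, reason: `bad port for ${entry.name}` };
    }
    // Copy only the validated fields; extra keys from the reply are dropped.
    servers.push({ name: entry.name, ip: entry.ip, port: entry.port });
  }
  return { ok: true, servers };
}

// Constructed sample replies (not captured from any real service).
const GOOD_REPLY = JSON.stringify({
  servers: [
    { name: 'us-east-1', ip: '203.0.113.10', port: 443 },
    { name: 'de-fra-1', ip: '198.51.100.7', port: 443 },
  ],
});

// A forged reply: the entry carries markup in the label and points the
// proxy at a hostname instead of one of the operator's IPs.
const FORGED_REPLY = JSON.stringify({
  servers: [{ name: '<b>Free VPN</b>', ip: 'relay.example', port: 443 }],
});

// Fetch wrapper for the extension: refuses non-HTTPS or foreign origins
// before a byte is sent, then validates the body. `fetchImpl` is injectable
// so the function can be exercised outside a browser.
async function loadServerList(url, fetchImpl = fetch) {
  if (!isTrustedApiUrl(url)) {
    throw new Error(`refusing to query untrusted API URL: ${url}`);
  }
  const resp = await fetchImpl(url, { cache: 'no-store', credentials: 'omit' });
  if (!resp.ok) throw new Error(`API returned HTTP ${resp.status}`);
  const result = validateServerList(await resp.text());
  if (!result.ok) throw new Error(`rejected server list: ${result.reason}`);
  return result.servers;
}
```

The origin pin is the part that addresses the page’s point: with the API host fixed to one HTTPS origin the extension controls, neither an on-path attacker nor a third-party API operator is in a position to answer, and the schema check limits what a bad reply can do even if that assumption fails.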

‘@vpnac missed a chance for mischief, could have returned much more interesting things as location strings.’

In its blog, VPN.ac also goes on to explain other security aspects involved in the copycat extension, explaining, almost unbelievably, that TorGuard had failed to copy the most important parts of the code,

‘Not everything from our app was copied (they missed the good parts!), for example, the storage of credentials and the update of active servers via JSON queries:

TorGuard stores the credentials in clear-text; we are XORing the pass to protect it against spyware that will search all over the place for clear-text credentials.

The obvious risk of providing server IPs over HTTP is that they can be easily hijacked in a MitM attack;

TorGuard’s HTTPS proxy is highly insecure: uses insecure ciphers like RC4, supports SSL 3, is vulnerable to POODLE attack, doesn’t provide Forward Secrecy. Gets a shameful Grade C on Qualys test. Result mirrored (in case you don’t want to wait for the test to finish). And this is our result/mirror (FS enabled, no weak ciphers, support only for TLS 1.1 and 1.2)’
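The quoted post contrasts storing a password as-is with XOR-masking it so that a plain-text search of the extension’s storage does not turn it up. The following is an added example (not VPN.ac’s or TorGuard’s code) showing both storage choices side by side against a simulated clear-text search; the key `example-extension-key`, the storage object standing in for `chrome.storage.local` and the sample credentials are constructed for the example.

```javascript
// Added example, not VPN.ac's or TorGuard's code. Shows the two storage
// choices the quote contrasts: a password written to extension storage
// as-is, versus the same password XOR-masked with a key the extension
// holds. The masked form no longer matches a substring search for the
// password, which is the threat the quote describes. It is not encryption:
// anything that can read the key can unmask it, as xorUnmask shows.

// Hypothetical fixed key; a real extension would carry its own.
const MASK_KEY = 'example-extension-key';

// XOR each UTF-16 code unit of `text` with the repeating key and return
// hex (4 digits per unit) so the stored value is printable and round-trips.
function xorMask(text, key) {
  const units = [];
  for (let i = 0; i < text.length; i++) {
    units.push(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return units.map(u => u.toString(16).padStart(4, '0')).join('');
}

// Reverse of xorMask: the same key recovers the original string.
function xorUnmask(hex, key) {
  let text = '';
  for (let i = 0; i < hex.length; i += 4) {
    const idx = i / 4;
    const unit = parseInt(hex.slice(i, i + 4), 16) ^ key.charCodeAt(idx % key.length);
    text += String.fromCharCode(unit);
  }
  return text;
}

// `store` is a plain object standing in for chrome.storage.local so the
// example runs outside a browser.

// Variant 1: credentials written exactly as entered.
function storeClearText(store, user, pass) {
  store.credentials = { user, pass };
}

// Variant 2: the password is masked before it is written.
function storeMasked(store, user, pass) {
  store.credentials = { user, pass: xorMask(pass, MASK_KEY) };
}

// Reading the masked form back for use by the extension.
function loadMasked(store) {
  const c = store.credentials;
  return { user: c.user, pass: xorUnmask(c.pass, MASK_KEY) };
}

// What a scanner looking for clear-text credentials does: a substring
// search over the serialized storage file.
function storeContainsPlain(store, needle) {
  return JSON.stringify(store).includes(needle);
}

// Constructed sample credentials.
const SAMPLE_USER = 'alice';
const SAMPLE_PASS = 'hunter2';

// Run both variants and report what the substring search finds.
function compareStorage() {
  const clear = {};
  storeClearText(clear, SAMPLE_USER, SAMPLE_PASS);
  const masked = {};
  storeMasked(masked, SAMPLE_USER, SAMPLE_PASS);
  return {
    clearTextFound: storeContainsPlain(clear, SAMPLE_PASS),
    maskedFound: storeContainsPlain(masked, SAMPLE_PASS),
    maskedRoundTrip: loadMasked(masked).pass === SAMPLE_PASS,
  };
}
```

`compareStorage()` returns `clearTextFound: true`, `maskedFound: false` and `maskedRoundTrip: true`: the masked store defeats a naive search, and the extension still recovers the password. The same round trip is available to anyone who reads `MASK_KEY` out of the extension, which is why this is obfuscation against opportunistic scanning rather than protection against a targeted reader of the extension’s files.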

Luckily for TorGuard customers, VPN.ac has not behaved in a harmful way or engaged in any form of revenge tactics, instead electing to move forward by simply announcing its discovery to the world – a move that it cannot be faulted for.

For this reason, although we advise current TorGuard users to not be overly worried about the security breach, we do strongly recommend moving away from its VPN service in favour of something that has not been proven to be a total security let down.

Sadly, we have not been able to get a response out of TorGuard following the discovery. In fact, the only reply to the issue was directed at VPN.ac’s Twitter where it simply replied ‘K THX’ to the allegations. Not exactly an encouraging response to such an enormous issue from a reputable brand that has been caught with its trousers down.

Since the announcement, TorGuard has removed VPN.ac’s geo API servers from its app, but remains unapologetic for maliciously copying its app design.


I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR. I am an advocate for freedom of speech, equality, and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood, and love to listen to trap music.

Ugh. I ran into this set of articles as I was researching TorGuard prior to making a purchase. For most of you that don’t know (ye consumers), the most important part of buying an anonymous VPN is the trust in the supplier. If they are corrupt, or have investors that can control their traffic, they can see every authentication you run through the system … everything. So I was looking to make sure TorGuard wasn’t based in China or something like that. Then I ran into this mess between them and vpn.ac or whatever.
There was another service called Anonymizer that I thought was acquired by a company where the executives were ex intelligence operatives. Hmmm. I wondered about how this might affect the integrity of what goes through Anonymizer.
Not that I have anything to hide, but I want my privacy.
So … where am I? Where are we? Looks like you are far better trading off lots of VPN features for a trusted party based in a place like the United States.
Of course, a Windows PC with Tor would be the best choice, but Windows is such a hotbed for malware and APTs that you are better off with a Chromebook trying to figure out alternatives like I am.
So, I don’t feel so good about TorGuard now.
Not sure about a company that hides their management team and investors – I cannot find these people listed anywhere

Wait, I’ll look on LinkedIn now and report.

There is only one guy who claims he worked at TorGuard in Florida from 2011 to 2014.

Did you even test these things before you posted this article? The SSL Labs claims are false; please test the proxies on TorGuard at SSL Labs and you will see that no RC4 ciphers are enabled and that SSLv3 and v2 are disabled, both are disabled….

I see the Chrome app IS using encryption, did you not check that too? You should really check these things yourself before posting. The company is just looking for some traffic (as they seem to need it) and by the looks of it is trying to fabricate a story out of (using a geo IP API) which would take requests from the proxy servers themselves (not exposing anyone).

Hi Tony,
We did check, and you’re correct that these issues no longer exist. However:
1) TorGuard didn’t deny anything and updated their application, so it would be no surprise that they also fixed the other problems pointed out by VPN.ac.
2) VPN.ac was likely aware that this would happen, and you can see the mirror images on their website of what they found.
3) We were able to test the old TorGuard proxy, as VPN.ac are hosting a mirror of this as well, and as pointed out, passwords weren’t encrypted in it.
4) We have contacted TorGuard, yet for such large and extensive accusations it’s surprising that we have not received a reply, and they have been silent on Twitter as well. In such cases, we’d expect a company to say a bit more than “K THX”.
Thanks for your interest in the article,
Ray

> the SSLlabs claims are false, please test the proxies on torguard at ssllabs you will see that no RC4 ciphers are enabled and that SSLv3 or v2 are disabled, both are disabled….

The fact that it’s been updated doesn’t mean it wasn’t an issue. And by the way, in its current state the Qualys test still looks pretty bad. Perhaps they need some more time to figure out how to properly implement Forward Secrecy and such.

> I see the Chrome app IS using encryption, did you not check that too ? you should really check these things yourself before posting.

How about you check the affected version which is mirrored?

> The company is just looking for some traffic (as they seem to need it)

The company has made a legitimate disclosure on an event of having their product copied. How on earth is that an attempt to look for traffic? logic much?

> trying to fabricate a story

The evidence is right there and everything was already verified by people from the infosec community. Again, you can check yourself if you know how to do so (personally I have some doubts on this). TorGuard confirmed removal of the geo IP service: why would they do that if the story is “fabricated”?

> which would take requests from the proxies servers themselves (not exposing anyone).

Once again, you don’t seem to understand how stuff works. The geo IP service is accessed BEFORE and AFTER establishing a connection. So that’s both using the user real IP and the proxy IP. It does expose the user. The code is right there for you to check when and how the geo IP is accessed.